diff --git a/.github/workflows/infra-deploy.yml b/.github/workflows/infra-deploy.yml
index 35e4420d..ef18384f 100644
--- a/.github/workflows/infra-deploy.yml
+++ b/.github/workflows/infra-deploy.yml
@@ -5,7 +5,7 @@ on:
 
 permissions:
   id-token: write
-  contents: write
+  contents: read
   pull-requests: write
 
 jobs:
@@ -19,5 +19,5 @@ jobs:
     uses: ./.github/workflows/infra-plan-template.yml
     with:
       environment: ${{ matrix.environment }}
-      tf_state: init
+      tf_state: cert
       working_dir: infra/deploy/cert
diff --git a/.github/workflows/infra-plan-template.yml b/.github/workflows/infra-plan-template.yml
index 38e51b72..d9be2501 100644
--- a/.github/workflows/infra-plan-template.yml
+++ b/.github/workflows/infra-plan-template.yml
@@ -18,7 +18,7 @@ on:
 
 permissions:
   id-token: write
-  contents: write
+  contents: read
   pull-requests: write
 
 jobs:
diff --git a/infra/deploy/cert/provider.tf b/infra/deploy/cert/provider.tf
index 8bef2c25..a8693b25 100644
--- a/infra/deploy/cert/provider.tf
+++ b/infra/deploy/cert/provider.tf
@@ -1,4 +1,5 @@
 provider "azurerm" {
   use_oidc = true
+  use_cli  = true
   features {}
 }